From 92b78f7c152eda35970bb139c212dfa6ead8ac09 Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Sun, 15 Oct 2017 16:34:39 +0200
Subject: [PATCH] Enable secure and httpOnly option for sessions

These are 2 measures for improving security of cookies. One is used to not send the cookie over HTTP (only HTTPS) and the other tells the browser to disallow client-side code accessing the cookie.
---
 docker-compose.yml | 2 ++
 example/authelia/docker-compose.yml | 2 ++
 example/nginx/nginx.conf | 6 ++++++
 server/src/index.ts | 2 --
 server/src/lib/Server.ts | 6 +++---
 server/src/lib/configuration/SessionConfigurationBuilder.ts | 3 ++-
 server/test/SessionConfigurationBuilder.test.ts | 6 ++++--
 7 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 3c8717131..a76ee46ea 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,6 +5,8 @@ services:
 restart: always
 volumes:
 - ./config.template.yml:/etc/authelia/config.yml:ro
+ environment:
+ - NODE_TLS_REJECT_UNAUTHORIZED=0
 depends_on:
 - redis
 networks:
diff --git a/example/authelia/docker-compose.yml b/example/authelia/docker-compose.yml
index 9f1f1cb5d..7c68dec9a 100644
--- a/example/authelia/docker-compose.yml
+++ b/example/authelia/docker-compose.yml
@@ -6,6 +6,8 @@ services:
 volumes:
 - ./config.template.yml:/etc/authelia/config.yml:ro
 - ./notifications:/var/lib/authelia/notifications
+ environment:
+ - NODE_TLS_REJECT_UNAUTHORIZED=0
 depends_on:
 - redis
 networks:
diff --git a/example/nginx/nginx.conf b/example/nginx/nginx.conf
index a1ec3dbc2..5e8a0496b 100644
--- a/example/nginx/nginx.conf
+++ b/example/nginx/nginx.conf
@@ -35,6 +35,7 @@ http {
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_pass http://authelia/;


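Review bot: `NODE_TLS_REJECT_UNAUTHORIZED=0` in the added `environment:` block disables certificate verification for every outbound TLS connection the Node process makes, not just the one whose certificate motivated it, so any backend Authelia reaches over TLS (an LDAP or SMTP server, for instance, if configured that way) becomes interceptable. Moving it out of `server/src/index.ts` is an improvement, but this is the top-level `docker-compose.yml`, not only the `example/` one, so anyone copying this file as a deployment template inherits the setting. I would keep it to the example stack and annotate it: `# DEV ONLY: disables TLS certificate validation for all outbound connections; never set this in production`. Whether the top-level compose file is intended purely for development is not visible here, so confirm that before dropping the variable from it.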
@@ -73,6 +74,7 @@ http {
 internal;
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header Content-Length "";

@@ -126,6 +128,7 @@ http {
 internal;
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header Content-Length "";

@@ -162,6 +165,7 @@ http {
 internal;
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header Content-Length "";

@@ -198,6 +202,7 @@ http {
 internal;
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header Content-Length "";

@@ -234,6 +239,7 @@ http {
 internal;
 proxy_set_header X-Original-URI $request_uri;
 proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
 proxy_set_header Content-Length "";

diff --git a/server/src/index.ts b/server/src/index.ts
index b5a20ac52..429cc8578 100755
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -1,7 +1,5 @@
 #! /usr/bin/env node

-process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
-
 import Server from "./lib/Server";
 import { GlobalDependencies } from "../types/Dependencies";
 import YAML = require("yamljs");
diff --git a/server/src/lib/Server.ts b/server/src/lib/Server.ts
index 5d80e3322..f043d4f33 100644
--- a/server/src/lib/Server.ts
+++ b/server/src/lib/Server.ts
@@ -23,8 +23,8 @@ import * as http from "http";
 const addRequestId = require("express-request-id")();

 // Constants
-
 const TRUST_PROXY = "trust proxy";
+const X_POWERED_BY = "x-powered-by";
 const VIEWS = "views";
 const VIEW_ENGINE = "view engine";
 const PUG = "pug";
@@ -54,9 +54,9 @@ export default class Server {
 app.use(BodyParser.json());
 app.use(deps.session(expressSessionOptions));
 app.use(addRequestId);
- app.disable("x-powered-by");
+ app.disable(X_POWERED_BY);
+ app.enable(TRUST_PROXY);

- app.set(TRUST_PROXY, 1);
 app.set(VIEWS, viewsDirectory);
 app.set(VIEW_ENGINE, PUG);

diff --git a/server/src/lib/configuration/SessionConfigurationBuilder.ts b/server/src/lib/configuration/SessionConfigurationBuilder.ts
index 3560cbb2b..bee21c764 100644
--- a/server/src/lib/configuration/SessionConfigurationBuilder.ts
+++ b/server/src/lib/configuration/SessionConfigurationBuilder.ts
@@ -12,7 +12,8 @@ export class SessionConfigurationBuilder {
 resave: false,
 saveUninitialized: true,
 cookie: {
- secure: false,
+ secure: true,
+ httpOnly: true,
 maxAge: configuration.session.expiration,
 domain: configuration.session.domain
 },
diff --git a/server/test/SessionConfigurationBuilder.test.ts b/server/test/SessionConfigurationBuilder.test.ts
index bae332347..c5a8cd91d 100644
--- a/server/test/SessionConfigurationBuilder.test.ts
+++ b/server/test/SessionConfigurationBuilder.test.ts
@@ -73,7 +73,8 @@ describe("test session configuration builder", function () {
 resave: false,
 saveUninitialized: true,
 cookie: {
- secure: false,
+ secure: true,
+ httpOnly: true,
 maxAge: 3600,
 domain: "example.com"
 }
@@ -153,7 +154,8 @@ describe("test session configuration builder", function () {
 resave: false,
 saveUninitialized: true,
 cookie: {
- secure: false,
+ secure: true,
+ httpOnly: true,
 maxAge: 3600,
 domain: "example.com"
 },
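Review bot: `app.enable(TRUST_PROXY)` sets Express's `trust proxy` to `true`, which trusts `X-Forwarded-*` headers from any peer, whereas the removed `app.set(TRUST_PROXY, 1)` trusted only the immediate hop. Because this commit also makes the session cookie `secure: true`, `req.secure` — and with it whether express-session issues the cookie at all — is now decided by `X-Forwarded-Proto`, so any client that can reach Authelia without going through nginx can send `X-Forwarded-Proto: https` over plain HTTP (and spoof `req.ip` through `X-Forwarded-For`). A hop count of 1 already trusts the socket peer, which is what nginx is in the compose network, so I would keep `app.set(TRUST_PROXY, 1);` or name the proxy explicitly (a CIDR, or `"loopback, uniquelocal"`) rather than trusting everything. If there was a concrete reason the hop count did not work, a comment such as `// X-Forwarded-Proto from the reverse proxy drives req.secure and therefore the Secure session cookie` would help the next reader understand the dependency. The enclosing method starts before the hunk.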
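Review bot: `secure: true` is hard-coded with no configuration knob and no comment, and express-session skips setting the cookie entirely when it does not consider the request secure, so a deployment whose proxy does not forward `X-Forwarded-Proto: https`, or where Authelia is browsed over plain HTTP, will silently fail to establish a session rather than fall back. I would document that dependency right above the option: `// Secure requires the request to be seen as HTTPS; behind the reverse proxy this relies on 'trust proxy' plus X-Forwarded-Proto, and express-session drops the cookie otherwise.` `httpOnly: true` is express-session's documented default, so the explicit line mainly serves as documentation, which is fine. `sameSite` is also worth considering for this cookie if the express-session version in use supports it. The options object being built starts before and ends after the hunk.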